Everything You Wanted in Digital Advertising

You want it? You got it. Fraudsters -- aka "entrepreneurs" -- will manufacture whatever you want to buy. For at least the last decade, marketers have wanted to buy large quantities of digital ads, at low CPM prices, with the appearance of performance. The best fraudsters, oops "entrepreneurs," give the people what they want -- counterfeit goods that look very much like the real thing. What follows is a summary of evidence of what you have been buying. The evidence has been there all along. You just may not have noticed.

Fake Ads

In the good old days of digital advertising, industrious fraudsters set up websites and bought bot traffic to manufacture ad impressions to sell. Remember Boris from Brooklyn (2013)? "He freely admits he buys visitors to his websites. "If I can buy some traffic and it gets accepted, why not?” he says. And if advertisers don’t like it, he adds, “they should go buy somewhere else. They want to pay only a little and get a lot of traffic and results. If they want all human traffic, they should go direct to the publisher and pay more."

Fraudsters then optimized to make more money by doing what is known as naked ad calls -- invoking just the ads, without the webpages. By saving time and bandwidth they could load even more ads per time period and maximize profits. They passed fake page urls in the bid requests to trick buyers' reporting. Often those pages didn't even exist -- "404 errors" -- but didn't matter. They still got away with it and made money. On occasion someone bothered to check -- remember the 404bot example? Sadly, the fraud detection company that named it 404bot didn't even understand that there were no bots, just faked bid requests. If the page didn't exist, a bot could not have visited it to cause ads to load. Duh.

More recently, fraudsters even dispensed with loading the ads themselves. They didn't need to. By just faking the bid requests and making it appear that ads served, they can already get paid. This is exactly what Phunware did to Uber -- "Guys it's time to spin some more BS to Uber." They invoiced Uber for ads that never served and clicks that were never delivered. Everything looked beautiful in the reports (all the data was fabricated); Uber didn't notice until they turned off the ad spending. The app installs continued, unchanged. This is exactly what is happening in CTV advertising today -- 100% faked bid requests, CTV ads that never ran. In every single one of the -- TWELVE (12) -- CTV fraud cases since 2020, malicious code was used to create fake bid requests. The code even randomized the device types, IP addresses, and app names to make it more realistic. No TVs, no streaming sticks, no CTV apps were needed for the fraudsters to pull off these heists of millions of dollars of advertisers' budgets.

With FouAnalytics, the in-ad measurement helps to confirm whether the ad was served and rendered on screen, and if so where the ad actually went.

Fake Clicks

If you bought all those ad impressions and didn't get any clicks, you'd soon grow suspicious. So, since the earliest days of ad fraud, which is the same as the earliest days of digital advertising, fraudsters had their bots click on the ads too. Early on, they were not very sophisticated, so the bots clicked on all the ads, resulting in 100% click through rates that could be seen in the data -- IF you asked for line item details (see slide below). But most advertisers only got monthly totals and averages, and thus could not see the fraud that was there. When they saw the average of 9.4% CTRs, they thought their campaigns were working really well, and allocated even more dollars to it, sending even more money to the bad guys.

Bots are not just clicking on the ads. Bad guys can program their bots to create fake mouse movements, page scrolling, and touch events too. That makes them appear more like real users navigating the page and helps them defeat fraud detection. Some bad guys were openly mocking the detection vendors by deliberately drawing the satanic symbol on the page with mouse movements.

Click fraud was so prevalent that companies sued each other for doing too much of it. Ad tech company Criteo sued rival SteelHouse for "counterfeit click fraud scheme." Steelhouse sues Criteo for the same thing - counterfeit clicks that stole business from them. Each company was doing so much click flooding that the other lost business because their clicks were not the "last clicks." In essence, they sued each other for being so unfair with the amount of click fraud they were doing. Hilariously, both companies dropped their respective lawsuits within months of filing them. Apparently they realized neither of them wanted the lawsuits to proceed to discovery. That tells you something, doesn't it?

With FouAnalytics, click pattern analysis reveals which clicks are bots. See the chart on the lower right of the following slide. Larger red circles means the bots are repeatedly clicking on the same x,y coordinates. You can't get a whole bunch of humans to click on exactly the same pixel location on the screen. Bot activity is easily seen and filtered.

Fake Traffic

Some advertisers want traffic to their sites. So that's what entrepreneurial traffic sellers manufacture for them. They may not even need to know how to create and maintain vast botnets. They simply "rent time" on botnets that already exist. These are traffic re-sellers, doing something like "buy at wholesale, sell at retail." They simply instruct the botnet to create X million pageviews based on the amount of traffic that was purchased.

Just like fraudsters optimized from webpages to naked ad calls to faked bid requests, these traffic resellers can also optimize and save money, but not even sending any traffic using bots. They can simply write false data into the traffic buyers' Google Analytics to create the appearance of traffic; no bots were even needed. See the following demo where a python script can create the appearance of traffic, lots of it, in Google Analytics. It can also fake the referrer to make the traffic appear to be from "social." It can fake all the page urls, the language, the time on site, the pages per visit, literally every possible metric that the buyer cared about. What kind of traffic do you want to buy? They'd happily manufacture it for you.

With FouAnalytics, there are cybersecurity measures built-in to prevent such tampering. If you haven't upgraded to Google Analytics 4, do so immediately because it makes it slightly harder for attackers to write false data into your GA. Many practitioners use FouAnalytics to help troubleshoot discrepancies in their Google Analytics and Adobe Analytics. Those discrepancies are from the false data mentioned above, and from the fact that GA filters some bots, bot doesn't tell you which bots they were and how much. FouAnalytics records everything so you are able to use the data to troubleshoot.

Fake Leads

Some advertisers think they are clever and able to avoid most of the fraud because they only pay when they get the lead. But what they should realize, as we've been saying this entire article, is that fraudsters will manufacture the exact thing you want to pay for, in this case the lead. It is trivial for form-filling bots to complete lead forms and submit them, so the perp can get paid the cost per lead. For at least the last decade, university marketers have struggled with fake leads. They would get fully completed lead forms purportedly from high schoolers. All the data looks legit. But when a real human followed up and called the number on the lead form, the high schooler tells them they've never heard of the university let alone submitted a lead form. Oh, captchas are completely useless against bots. They don't deter bots in the slightest; they just make the experience more annoying for humans. Here's an article from 2013 showing bots solving captchas.

Don't believe me? Well, you don't have to. Here's a funny case of fraudster repeatedly winning T-Mobile’s promotional contests. An amateur botmaker automated the process of submitting thousands of sweepstakes entries to increase his chances of winning. His form-filling bot bypassed captchas and even randomized fake names, email addresses, and phone numbers. But this botmaker wanted all the gift cards that he won to be mailed to the same place, for convenience. No one noticed for a while, but then some hawk-eyed redditor noticed that "nearly a third of the publicly listed winners came from a Pennsylvania town with a population of less than 4,000. Players wondered: What was in the water in Chadds Ford, Pennsylvania?" The jig was up and the scam was stopped -- because T-Mobile stopped running the sweepstakes. "Fraud, much like activity of this kind isn't obvious unless the person deploying them makes some kind of mistake. Most fraud is just not seen. It's there. But it’s only seen when bad guys screw up.”?

Fake Sales

If you've stuck with me so far, you're brave. You need to be even more brave for this next section. Many advertisers believe the digital ads worked and say they even have sales to prove it. But most of those sales would have happened anyway, without the advertising. See; Green-field Advertising. For this article let's stay focused on fraud and how bad guys fake the sales.

This form of fraud is equivalent to app install fraud (like what affected Uber), where bad guys get paid on a cost-per-install ("CPI") basis. The app installs had already occurred. But the bad guys falsified the analytics to make it appear that they caused the install, so they can earn the CPI under false pretenses. Similarly, the sales had already occurred. Fraudsters trick the attribution and analytics to award them the revenue share. By sending a large number of false clicks -- i.e. click flooding -- the fraudster increases the chances that their click is the "last click" for attribution purposes, so they can get paid.

Remember Criteo and Steelhouse suing each other, as mentioned above? Both of them were doing vast amounts of click flooding, trying to be the last click, so they would get credit for the sale. The sales had already occurred or would occur anyway. The advertiser should not have wasted money paying for it. This is also in many ways similar to affiliate fraud, where the fraudster stuffed cookies in real human users' browsers. When those humans completed purchases, the affiliate fraudster earned the revenue share via cheating. The more cookies they stuffed, the higher their chances of earning the revenue share on completed sales. As you can see, all of these sales occurred or would have occurred anyway. And the forms of fraud related to sales are all about falsifying the analytics to claim credit under false pretenses. If you ran the "turn-off" experiment that Uber did, you will see your sales continue, just like Uber saw their app installs continued, despite turning off $120 million of paid app-install spend.

Fake Metrics

While they are doing the ad fraud, the bad guys might as well make the metrics look good so the advertisers keep spending. In addition to falsifying the clicks, as we saw above, they can alter metrics like viewability. This practice is widespread but rarely exposed. In this case, it was exposed Newsweek Media Group Websites Ran Malicious Code That Altered Viewability Measurements. Why stop at just viewability, why not falsify every other metric that advertisers look at. After all, the good guys made it super easy. By loading simple images like firstQuartilePixel.gif, midpointPixel.gif, thirdQuartilePixel.gif, or completePixel.gif, fraudsters can make it appear that CTV or video ads were watched to a particular point -- firstQuartile, midpoint, thirdQuartile, or complete. Ever wonder why you keep seeing 90 - 95% completion rates for your video ads? Yeah, it's that easy to fake. Humans are not watching that many video ads to completion.

Further, bid requests and code on webpages literally say IVT=1 or IVT=0 ("invalid traffic" bots = yes or no). Bad guys just write IVT=0 (not a bot) in the bid requests and the ads get served. Yeah, it's that easy to fake. Every click tracker url is also in the clear and can be directly invoked by algorithms to make it appear there was a click. When bad guys mess up, or get too greedy, we can see it in the data. On many occasions, I have observed greater than 100% click rates -- i.e. more clicks than there were ads served. Often this occurs when the campaign ends, but no one told the bots to stop faking the clicks. Ads are no longer being served, but the reporting still shows clicks. What did those bots click on. The fraud is hilariously easy to spot, if you decided to look. I have looked for the last decade, and these are just some of the stories.

So What?

After reading the above, how much of the ads, clicks, traffic, leads, sales and metrics from the last decade would you consider to be real? Don't be discouraged if you spent money on it, even lots of money, over the last decade. Be ENCOURAGED that you now know "how the magician did the trick" -- what is illusion and what might be real. Look more closely at the data. Ask more questions. Ask harder questions of the vendors you buy from. Run experiments, like turning off some campaigns, to see if business outcomes change. If they don't change, then make further moves. You have the opportunity to make digital marketing better. Know that ad tech vendors sold you snake oil in the past. Fraud detection was not catching most things. But going forward, you can be proactive in reducing fraud and waste, no specialized tools required.

Have a look at one more thing in the meantime: Green-field Advertising